Archive for the 'SysAdmin' Category

VMware Replication & Recovery

The following three videos show how to set up offsite replication of virtual machines from your vCenter server to any storage that the server can reach.
VMware Replication is available free of charge from VMware and works with every vCenter edition, even the Essentials Plus kit aimed at small businesses.
To download VMware Replication follow this link: VMware Replication

The replication target can be a network share or a local drive.
If you use, for example, an NFS share or iSCSI storage on another site, you get an offsite copy of your virtual machines.
Replication is automatic and runs on the configured schedule in the background on the vCenter server.
Note that a replica is not a versioned backup: unless you keep multiple point-in-time instances, a corrupted or ransomware-encrypted guest disk is replicated as-is on the next sync.

The offsite copy can be restored without the vCenter server if vCenter is unavailable for any reason.
In that case you add the replicated machine manually to the inventory of your vCenter or standalone ESXi host.

SPF record setup for mail server

How to set up and test an SPF record for a mail server:

Let’s check Google’s SPF record first with dig command.

[root@mail ~]# dig txt google.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> txt google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52169
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN TXT

;; ANSWER SECTION:
google.com. 3599 IN TXT "v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"

;; Query time: 12 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Feb 27 08:47:05 2015
;; MSG SIZE rcvd: 116

[root@mail ~]#

The answer section lists the hosts that are allowed to send mail with a google.com envelope sender: everything covered by the included _spf.google.com record plus the two /31 ranges 216.73.93.70-71 and 216.73.93.72-73.
SPF does not control who may relay through your server; it tells receiving servers which source addresses may use your domain in MAIL FROM. So if you own a domain and your mail server is mail.yourdomain with an A record, a record that lists only that host says that it alone may send mail as your domain, and a receiver gets a softfail (~all) or fail (-all) result for mail from anywhere else and can reject or flag it.

You can also use include: to pull in another domain's SPF record instead of listing addresses, as the next record does. Each include costs one of the ten DNS lookups a receiver performs before giving up with permerror, so keep the chain short. The second TXT record on smsnetmonitor.com is a DMARC policy; receivers only look for DMARC at _dmarc.<domain>, so a v=DMARC1 record published on the apex is ignored.

[root@mail ~]# dig txt smsnetmonitor.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> txt smsnetmonitor.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64785
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;smsnetmonitor.com. IN TXT

;; ANSWER SECTION:
smsnetmonitor.com. 21599 IN TXT "v=spf1 ip4:212.23.51.62 include:cloudsupportuk.com include:cctvalarm.net include:7layer.org include:smsgpstracker.com ~all"
smsnetmonitor.com. 21599 IN TXT "v=DMARC1\; p=none\; adkim=r\; aspf=r\; sp=none"

;; Query time: 36 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Feb 27 08:59:31 2015
;; MSG SIZE rcvd: 225

[root@mail ~]#
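To see how a receiver actually uses these records, here is a small SPF evaluator. It is an added example, not code from the original post. It resolves against a constructed in-memory table instead of real DNS: the google.com record is the one from the dig output above, while _spf.google.com, example.test and loop.test and their contents are made-up stand-ins. It handles ip4, include and all with the four qualifiers, enforces the 10-lookup limit and detects include loops, which is what you need to test a record offline before publishing it.

```python
"""SPF check against a constructed DNS table (added example; not from the original post).

Covers the parts of RFC 7208 that the records above use: ip4, include and the
all mechanism with its +, -, ~ and ? qualifiers, plus the 10-DNS-lookup limit.
Real deployments resolve TXT records over DNS; here the table is built inline
so the script runs offline.  The google.com record is the one from the dig
output above; every other record is made up for the example.
"""
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS TXT lookups (assumed contents, not real DNS data).
DNS_TXT = {
    "google.com": "v=spf1 include:_spf.google.com ip4:216.73.93.70/31 "
                  "ip4:216.73.93.72/31 ~all",
    "_spf.google.com": "v=spf1 ip4:74.125.0.0/16 -all",          # assumed
    "example.test": "v=spf1 ip4:203.0.113.10 include:loop.test -all",
    "loop.test": "v=spf1 include:example.test -all",             # include loop
}


def check_host(ip, domain, dns=DNS_TXT, _lookups=None, _seen=None):
    """Evaluate SPF for a message from `ip` with `domain` in MAIL FROM.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    ip = ipaddress.ip_address(ip)
    lookups = [0] if _lookups is None else _lookups   # shared across includes
    seen = {domain} if _seen is None else _seen       # include-loop guard
    record = dns.get(domain)
    first = record.split()[:1] if record else []
    if not first or first[0].lower() != "v=spf1":
        return "none"                                  # no usable SPF record

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")

        if name == "all":
            return RESULT[qualifier]
        if name == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == 4 and ip in net:
                return RESULT[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > 10 or arg in seen:
                return "permerror"                     # lookup limit or loop
            seen.add(arg)
            inner = check_host(ip, arg, dns, lookups, seen)
            if inner == "pass":
                return RESULT[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"                     # RFC 7208 section 5.2
            # fail/softfail/neutral inside an include: not a match, keep going
        else:
            return "permerror"                         # mechanism not handled here
    return "neutral"                                   # ran off the end of the record


if __name__ == "__main__":
    for src, dom in [("216.73.93.71", "google.com"), ("74.125.1.2", "google.com"),
                     ("192.0.2.1", "google.com"), ("203.0.113.50", "example.test")]:
        print(f"{src:>14} as {dom}: {check_host(src, dom)}")
```

Run it as-is to see a pass from the /31, a pass through the include, a softfail from ~all and a permerror from the deliberate loop; point `DNS_TXT` at the records of your own domain to check a draft record before you publish it.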

 

Create and check SPF records:

http://www.spfwizard.net/
http://www.mtgsy.net/dns/spfwizard.php

http://mxtoolbox.com/spf.aspx
http://vamsoft.com/support/tools/spf-syntax-validator

Header check for emails to analyse SPF and other issues:

https://toolbox.googleapps.com/apps/messageheader/
http://mxtoolbox.com/EmailHeaders.aspx

Debian Distro Upgrade

So let's get our hands dirty with a Debian Linux distro upgrade!
This week I received a complaint about one of our servers, which had some dodgy outdated PHP packages installed on it.
I had to investigate what had happened to the box and fix the issue.
It turned out it was running Debian lenny, which is quite old and past its end of life:
that release has had no security updates since 2012, so it had to be upgraded to a newer release to fix this.
The box is behind a firewall, but it is still dangerous to have an unpatched box sitting on the net.
So I had to do a full distro upgrade on the box, which follows here.
A lenny box cannot jump straight to wheezy; Debian only supports upgrading one release at a time, so the path is:
lenny -> squeeze -> wheezy
First I installed the latest packages from the original distro, which was lenny.
After the update I rebooted the box and changed the sources to squeeze; once the squeeze upgrade was done and the box rebooted, I changed them again to wheezy, which is what the final sources.list looked like:
# nano /etc/apt/sources.list
deb http://ftp.uk.debian.org/debian/ wheezy main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy main contrib non-free
deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free
For each hop I ran the upgrade like this:
# aptitude update
# aptitude safe-upgrade
# aptitude dist-upgrade
Follow the prompts from aptitude; it will ask what you want to do with configuration files that you have modified.
For example php.ini has local modifications, so what do you do?
Keep the current modified version or take the one provided by the distro?
Sometimes you need to take the distro-provided config file, otherwise the service won't start.
For example I kept the mysql-server config and the new version could not start up.
So I took the new one, copied a few of the old settings into it, and voilà, it started up just fine.
Be patient and prepare a few good coffees for the upgrade, because it will take some time!

High Availability Postfix mail server on GlusterFS

This article: a highly available mail server on GlusterFS.

– Two node CentOS Linux
– GlusterFS shared storage
– NFS share for mails on GlusterFS
– Postfix mail server with SquirrelMail webclient
– Dovecot IMAP/POP server

So let’s get started.

In this article I used two local private nodes for testing.
Change the IPs to match your real configuration. GlusterFS can also replicate between different geographic locations.
If both servers sit at the same physical location, put them behind a firewall (for example pfSense, optionally with Snort running on it as an IDS) and use private IPs behind it. Gluster and NFSv3 traffic is neither authenticated nor encrypted by default, so the storage network must never be reachable from the internet.

GlusterFS part:

First edit the hosts file on both nodes and insert all the nodes which will be in the cluster.

cat /etc/hosts
127.0.0.1    localhost    localhost.localdomain localhost4 localhost4.localdomain4
::1    localhost    localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.200    test2.local    test2
192.168.1.201    test3.local    test3

Install the packages and start glusterd on both nodes:

yum install glusterfs glusterfs-fuse glusterfs-server postfix dovecot

service glusterd start

Then probe the peer from each side (the first command on test2, the second on test3):

gluster peer probe 192.168.1.201

gluster peer probe 192.168.1.200

On every node you should now have a peer file for each of the other nodes, named after that node's UUID.

ls /var/lib/glusterd/peers

878b63e8-5a3c-4746-984a-a14f4918c4b8

cat /var/lib/glusterd/peers/878b63e8-5a3c-4746-984a-a14f4918c4b8

uuid=878b63e8-5a3c-4746-984a-a14f4918c4b8
state=3
hostname1=test3.local

service glusterd status
glusterd (pid  1620) is running...

Start glusterd on the other node too.
Then check the peer status on both nodes:

gluster peer status (node1)
Number of Peers: 1

Hostname: test3.local
Uuid: 878b63e8-5a3c-4746-984a-a14f4918c4b8
State: Peer in Cluster (Connected)

gluster peer status (node2)
Number of Peers: 1

Hostname: test2.local
Uuid: 0d06c152-3966-4938-a1c4-84b624689927
State: Peer in Cluster (Connected)

Now let’s create the glusterfs volume.

Before you run the next command be careful with sysctl! I had net.ipv4.ip_nonlocal_bind = 1 in sysctl.conf, left over from testing heartbeat and corosync on these nodes, and with that setting I could not create the GlusterFS volume.
So change it back from 1 to 0 in sysctl.conf and run sysctl -p to reload the kernel parameter.

So create the volume (the brick directories must already exist on the XFS filesystem prepared in the next part):

gluster volume create gv0 replica 2 test2:/export/brick1 test3:/export/brick1

Then start it:

gluster volume start gv0

You can check the volume with this command:

gluster volume info

Volume Name: gv0
Type: Replicate
Volume ID: da3d4c48-d168-4b4f-9590-e8d87cf5aa87
Status: Started
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: test2.local:/export/brick1
Brick2: test3.local:/export/brick1

By default any host that can reach the bricks may mount the volume; restrict it to the two node addresses with the auth.allow volume option.

XFS part:

This part has to be done on both nodes before the volume is created, because the bricks live on this filesystem.
First load the xfs module:

modprobe xfs  (CentOS 6.3 already has the xfs module installed)

Create an XFS file system on the extra disk that you want to use for the GlusterFS brick, then mount it on /export/brick1 (it shows up as /dev/vdb1 on /export/brick1 in the mount output below):

mkfs.xfs -i size=512 /dev/vdb1

NFS part:

Then install the NFS client tools:

yum install nfs-utils

And mount the Gluster volume through Gluster's built-in NFS server (it only speaks NFSv3 over TCP, hence the options):

mount -o mountproto=tcp,vers=3 -t nfs test2.local:/gv0 /mnt/

Mount each node's own address on that node (or use the FUSE client), otherwise test2 becomes a single point of failure for the mail store even though the data is replicated.

Check the mounts:

mount
/dev/mapper/VolGroup-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/vda1 on /boot type ext4 (rw)
/dev/vdb1 on /export/brick1 type xfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
nfsd on /proc/fs/nfsd type nfsd (rw)
test2.local:/gv0 on /mnt type nfs (rw,mountproto=tcp,vers=3,addr=192.168.1.200)

Start services automatically at boot:

chkconfig nfs on

chkconfig glusterd on

Postfix Part:

Create the spool directory on the shared volume. Do not symlink /mnt/var to the local /var: a symlink pointing at /var resolves to each node's own local disk, so nothing would actually be shared.

 mkdir -p /mnt/var/spool/mail
 chown root:mail /mnt/var/spool/mail
 chmod 0775 /mnt/var/spool/mail

Then in /etc/postfix/main.cf change every setting that refers to /var/ so that it points under /mnt/var/ instead, like this:

From this: mail_spool_directory = /var/spool/mail
To this: mail_spool_directory = /mnt/var/spool/mail

Postfix's local delivery agent locks mbox files with fcntl and a dotlock; both have to work over NFS, so make sure the NFS lock service (nfslock on CentOS 6) is running on both nodes.

And configure Postfix as usual.

Dovecot Part:

Point Dovecot at the same spool in /etc/dovecot/conf.d/10-mail.conf

from this: mail_location = maildir:~/Maildir
To this: mail_location = mbox:~/mail:INBOX=/mnt/var/spool/mail/%u

In this configuration Dovecot keeps the mail in the traditional mbox format rather than Maildir, and the INBOX is readable from both nodes.
Folders under ~/mail still live in the user's home directory, so put the home directories on the shared volume as well if users create IMAP folders.

Configure the rest of Dovecot as usual.

With this setup you have a shared mail store on the NFS volume, so users can reach their mail all the time whatever happens to the other node. The MX records are set up to deliver mail to the second node if the first one is unreachable.
You must use the same unix users, with the same UIDs and GIDs, on both nodes: mailbox ownership on the shared volume is stored by numeric ID, so mismatched accounts get mixed up and the whole setup fails.
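A quick way to catch the UID/GID mismatch described above before it bites is to diff the account tables of the two nodes. The script below is an added example, not part of the original post; the two /etc/passwd extracts in it are constructed for the example (user names and numbers are made up), and on real nodes you would feed it the contents of each node's /etc/passwd.

```python
"""Check that mail users have identical UID/GID on two nodes (added example; not from the original post).

On a shared mail spool the file owner is stored as a numeric UID, so a user
that is 'aaa' (uid 505) on one node and 'aaa' (uid 507) on the other cannot
read the same mailbox from both.  The two passwd extracts below are constructed
for the example; on real nodes feed it the contents of /etc/passwd.
"""

# Constructed /etc/passwd extracts for the two nodes (made-up accounts).
NODE1_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
aaa:x:505:505::/home/aaa:/bin/bash
bbb:x:506:506::/home/bbb:/bin/bash
ccc:x:507:507::/home/ccc:/bin/bash
"""
NODE2_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
aaa:x:505:505::/home/aaa:/bin/bash
bbb:x:507:507::/home/bbb:/bin/bash
"""


def parse_passwd(text):
    """Map user name -> (uid, gid, home) from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, _shell = line.split(":", 6)
        users[name] = (int(uid), int(gid), home)
    return users


def compare_users(passwd_a, passwd_b, skip_system=True):
    """Return a sorted list of (user, problem) for accounts that differ between nodes.

    System accounts (uid < 500, the CentOS 6 convention) are skipped by default;
    the mail user/group normally matches anyway because the package creates it.
    """
    a, b = parse_passwd(passwd_a), parse_passwd(passwd_b)
    problems = []
    for name in sorted(set(a) | set(b)):
        ua, ub = a.get(name), b.get(name)
        ref = ua or ub
        if skip_system and ref[0] < 500:
            continue
        if ua is None:
            problems.append((name, "missing on node 1"))
        elif ub is None:
            problems.append((name, "missing on node 2"))
        elif ua[:2] != ub[:2]:
            problems.append((name, f"uid/gid {ua[0]}/{ua[1]} vs {ub[0]}/{ub[1]}"))
        elif ua[2] != ub[2]:
            problems.append((name, f"home {ua[2]} vs {ub[2]}"))
    return problems


if __name__ == "__main__":
    for user, problem in compare_users(NODE1_PASSWD, NODE2_PASSWD):
        print(f"{user}: {problem}")
```

An empty result means the two nodes agree on every non-system account; anything reported has to be fixed (or the accounts moved to a shared directory such as LDAP) before mail is delivered to the shared spool.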

 

 

Dovecot POP3/IMAP server

This article is about how to install and set up a Dovecot server.

Open a terminal and install the Dovecot server:

yum install dovecot

Then edit dovecot.conf in the /etc directory and make the changes below (this is the Dovecot 1.x configuration layout):

#you must add pop3 and pop3s to get these protocols to work
protocols = imap imaps pop3 pop3s

#this part depends on which mail server (MTA) you are using, e.g. Postfix or Sendmail
mail_location = mbox:~/mail:INBOX=/var/mail/%u

#add the mail group to the privileged groups, otherwise dovecot won't be able to read the mailbox file
mail_privileged_group = mail

#you need to set the UIDL format, otherwise POP3 clients can't keep track of which messages they have already downloaded from the server.
#More hints here: http://wiki2.dovecot.org/POP3Server
pop3_uidl_format = %08Xu%08Xv

#these workarounds are needed for Outlook to work. More hints here: http://wiki2.dovecot.org/Clients
imap_client_workarounds = delay-newmail outlook-idle netscape-eoh
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh

#this setting allows plain text authentication on unencrypted connections. Only do this on a trusted network; otherwise leave it at yes.
#with plain text authentication everything, including the username and password, travels unencrypted on your network, so anyone on the path can capture it.
#with disable_plaintext_auth = yes Dovecot still accepts PLAIN/LOGIN over SSL/TLS (ports 993/995 or after STARTTLS) and from localhost, so in Outlook just tick
#"This server requires an encrypted connection (SSL)" and every part of the session is encrypted.
#you can check it in the maillog: an encrypted login ends the line with TLS. I will show examples further below.
disable_plaintext_auth = no

To get SSL working you need to fill in this part of dovecot.conf (Dovecot 1.x syntax; Dovecot 2.x uses ssl = yes with ssl_cert and ssl_key instead):

ssl_cert_file = /etc/pki/tls/certs/dovecot.pem
ssl_key_file = /etc/pki/tls/private/dovecot.key
ssl_disable = no

Save the dovecot.conf and close it. We are set.

Start the service:

service dovecot start

Then test the pop3 server.

tail -F /var/log/maillog

This is a basic plain text login over port 110:

Jan 22 00:11:04 ldapproxy dovecot: pop3-login: Login: user=<aaa>, method=PLAIN, rip=192.168.0.5, lip=192.168.0.30
Jan 22 00:11:04 ldapproxy dovecot: POP3(aaa): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jan 22 00:11:05 ldapproxy sendmail[8564]: p0M0B5XT008564: from=<aaa@opensourcetechnology.co.uk>, size=407,, nrcpts=1, msgid=<201101220011.p0M0B5XT008564@ldapproxy.localdomain>, proto=ESMTP, daemon=MTA, relay=[192.168.0.5]
Jan 22 00:11:05 ldapproxy sendmail[8566]: p0M0B5XT008564: to=<aaa@opensourcetechnology.co.uk>, ctladdr=<aaa@opensourcetechnology.co.uk> (505/505), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30693, dsn=2.0.0, stat=Sent

and this is how Wireshark captured the login name and the password of that session:

[screenshot: pop3-nosecure1]

Then change the connection settings in Outlook to use SSL (port 995).

The maillog will look like this one:

Jan 22 00:23:38 ldapproxy dovecot: pop3-login: Login: user=<aaa>, method=PLAIN, rip=192.168.0.5, lip=192.168.0.30, TLS
Jan 22 00:23:38 ldapproxy dovecot: POP3(aaa): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jan 22 00:23:38 ldapproxy sendmail[9010]: p0M0NcNf009010: from=<aaa@opensourcetechnology.co.uk>, size=407,, nrcpts=1, msgid=<201101220023.p0M0NcNf009010@ldapproxy.localdomain>, proto=ESMTP, daemon=MTA, relay=[192.168.0.5]
Jan 22 00:23:38 ldapproxy sendmail[9011]: p0M0NcNf009010: to=<aaa@opensourcetechnology.co.uk>, ctladdr=<aaa@opensourcetechnology.co.uk> (505/505), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30693, dsn=2.0.0, stat=Sent

Have you noticed the TLS at the end of the line? The whole session was encrypted!
Take a look at the Wireshark capture of the same login: the whole session is encrypted, so there is nothing readable left to pick up.

[screenshot: pop31]
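The maillog comparison above is exactly what you want to automate: find every login where a password crossed the network in clear. The script below is an added example, not code from the original post. It parses Dovecot's login lines, treats PLAIN and LOGIN as cleartext mechanisms, and accepts a session only if Dovecot marked it TLS (SSL/TLS) or secured (loopback), or if the client address is loopback. The log lines are constructed for the example: the first two mirror the ones shown above, the rest are made up.

```python
"""Find cleartext logins on unencrypted sessions in a Dovecot maillog (added example; not from the original post).

Dovecot appends "TLS" (SSL/TLS) or "secured" (loopback) to a login line when
the session was protected.  A PLAIN or LOGIN authentication without that
marker means the password crossed the network in clear, which is exactly what
the Wireshark capture above shows.  The log lines are constructed for the
example (the first two mirror the ones shown above, the others are made up).
"""
import ipaddress
import re

LOGIN_RE = re.compile(
    r"dovecot: (?P<service>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>[A-Za-z0-9-]+), rip=(?P<rip>[0-9A-Fa-f.:]+), "
    r"lip=(?P<lip>[0-9A-Fa-f.:]+)(?P<rest>.*)$"
)
CLEARTEXT_METHODS = {"PLAIN", "LOGIN"}   # password is sent as-is to the server

SAMPLE_LOG = """\
Jan 22 00:11:04 ldapproxy dovecot: pop3-login: Login: user=<aaa>, method=PLAIN, rip=192.168.0.5, lip=192.168.0.30
Jan 22 00:23:38 ldapproxy dovecot: pop3-login: Login: user=<aaa>, method=PLAIN, rip=192.168.0.5, lip=192.168.0.30, TLS
Jan 22 00:30:01 ldapproxy dovecot: imap-login: Login: user=<bbb>, method=LOGIN, rip=127.0.0.1, lip=127.0.0.1, secured
Jan 22 00:31:15 ldapproxy dovecot: imap-login: Login: user=<ccc>, method=CRAM-MD5, rip=10.0.0.9, lip=192.168.0.30
Jan 22 00:32:40 ldapproxy dovecot: imap-login: Login: user=<ddd>, method=LOGIN, rip=10.0.0.12, lip=192.168.0.30
Jan 22 00:33:00 ldapproxy dovecot: POP3(aaa): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
"""


def parse_login(line):
    """Return a dict for a Dovecot login line, or None for any other line."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # The trailing ", TLS" / ", secured" markers live in the remainder of the line.
    flags = {f.strip() for f in d.pop("rest").split(",") if f.strip()}
    d["protected"] = bool(flags & {"TLS", "secured"})
    return d


def audit(log_text):
    """Return (user, remote_ip, service) for every cleartext login that crossed the wire unprotected."""
    findings = []
    for line in log_text.splitlines():
        login = parse_login(line)
        if login is None:
            continue
        if login["method"].upper() not in CLEARTEXT_METHODS:
            continue           # CRAM-MD5 and friends do not expose the password
        if login["protected"] or ipaddress.ip_address(login["rip"]).is_loopback:
            continue           # TLS-protected, or the session never left the host
        findings.append((login["user"], login["rip"], login["service"]))
    return findings


if __name__ == "__main__":
    for user, rip, service in audit(SAMPLE_LOG):
        print(f"cleartext {service} password from {rip} for user {user}")
```

Run it over /var/log/maillog after switching clients to SSL: once the list is empty you can safely set disable_plaintext_auth = yes and nothing legitimate will break.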

To test your Dovecot server locally without a POP3 client just use telnet (the password goes over the wire in clear text here too, exactly as in the first capture):

[root@ldapproxy etc]# telnet 192.168.0.30 110

Trying 192.168.0.30...
Connected to 192.168.0.30 (192.168.0.30).
Escape character is '^]'.
+OK Dovecot ready.
user aaa
+OK
pass 123456
+OK Logged in.
list
+OK 1 messages:
1 743
.

retr 1
+OK 599 octets
Return-Path: <root@ldapproxy.localdomain>
Received: from ldapproxy.localdomain (localhost.localdomain [127.0.0.1])
by ldapproxy.localdomain (8.13.8/8.13.8) with ESMTP id p0O07gY3032579
for <aaa@ldapproxy.localdomain>; Mon, 24 Jan 2011 00:07:42 GMT
Received: (from root@localhost)
by ldapproxy.localdomain (8.13.8/8.13.8/Submit) id p0O07gRw032578
for aaa; Mon, 24 Jan 2011 00:07:42 GMT
Date: Mon, 24 Jan 2011 00:07:42 GMT
From: root <root@ldapproxy.localdomain>
Message-Id: <201101240007.p0O07gRw032578@ldapproxy.localdomain>
To: aaa@ldapproxy.localdomain
Subject: test

test
.
quit

More references and hints here: http://wiki2.dovecot.org/ and http://wiki.dovecot.org/MainConfig
And troubleshooting here: http://wiki.dovecot.org/QuestionsAndAnswers

Linux/Windows Troubleshooting part 2

Network troubleshooting part 2:

This article is about some basic DNS troubleshooting.
First we will do it on Linux with the dig command, then we will check out nslookup on Windows too.

dig any 7layer.org @8.8.8.8

This command queries Google's public DNS server (@8.8.8.8) for the 7layer.org domain and asks for all available record types (any).
I have highlighted the important parts of the output. In total 7 records were found, as you can see in the picture below.
Note that many resolvers and authoritative servers now answer ANY queries with a minimal response (RFC 8482), so if you only get one or two records back, ask for the specific types instead.

[screenshot: dns-1]

You can change the server easily with the @ part. Put your own DNS server there if you want to check a zone you have just updated on it.
Full DNS propagation theoretically takes up to two days (the old records live on until their TTL expires), but usually a few hours are enough for the change to show up nearly everywhere.
If you leave out the @server part altogether, dig uses the resolvers from /etc/resolv.conf.
For example:

dig any 7layer.org

To check only the MX records for the domain change the any to mx like this:

dig mx 7layer.org

[screenshot: dns-5]

The next one is how to check the reverse (PTR) record for an address.

dig -x 78.46.184.202

As you can see in the answer section, the PTR record for that address is mail.7layer.org. Receiving mail servers often check that this matches the name your server announces in HELO, so keep the two in sync.

[screenshot: dns-2]

So let's take a look at this with Windows nslookup:

nslookup

server 8.8.8.8

set type=any

7layer.org

[screenshot: dns-3]

You can see in the answer that all the nameserver addresses and A records are there, and both MX records are presented as well.
To check only the MX records, just change the type to mx, like this:

set type=mx

You will get only the MX records back from the server:

[screenshot: dns-4]

Windows Update troubles:

I was updating a few servers at my workplace remotely in the datacenter and one of them didn't reboot properly.

So the issue was this:

– Server updated with new service packs.
– Reboot was started via RDP (remote desktop).
– RDP is no longer reachable, because that service has already been shut down along with its connections.
– Server still pingable.
– No other way to reach the server (no IPMI/KVM/DRAC).

Solutions:

– Go to the datacenter and restart the server manually. On a Saturday that is not a lot of fun, let's be honest.
– Phone the datacenter and ask for remote hands... It takes ages to explain everything: server number, rack location etc.
– Download PsTools from here: http://technet.microsoft.com/en-gb/sysinternals/bb896649.aspx and kill the winlogon process that is stuck on the server.

Extract PsTools and first try this command:

psexec \\REMOTE_SERVER_NAME shutdown /r /t 0

This executes the shutdown command on the remote box and restarts the server: /r means reboot and /t is the delay, which is zero here.
If this doesn't help for some reason, you can try pskill.exe:

pskill [-t] [\\computer [-u username [-p password]]] <process ID | name>

pskill \\10.0.0.10 -u mydomain\Administrator Winlogon

Leave out -p and pskill prompts for the password: a password given on the command line ends up in your shell history and is visible to anyone who can list processes on your workstation. Both tools rely on SMB and administrative access to the remote host, which is why they still work when RDP is down.

This should work and you won't need to go to the datacenter or phone them to ask for the reboot.
Monitor the server with ping and you will see when it really reboots, because you lose ping for a while.

This has saved me so many times on weekends, when I usually do Windows updates (just like right now :) ).
On weekdays you can't really do Windows updates on corporate servers, because they are heavily used, so a reboot is not a good idea then.

Next issue will be posted shortly...

Linux/Windows Troubleshooting part 1

Network troubleshooting part 1:

Checking open ports on a box:

netstat -natlp

This lists the locally open ports together with the name of the daemon that owns them (-n numeric addresses, -a all sockets, -t TCP, -l listening, -p owning process).
As you can see in the picture, the first red box is the named daemon (DNS server) listening on the local port 127.0.0.1:53. The second red box (78.46.184.202:22) is the ssh daemon serving the remote terminal session. You can see the local and the remote address in this picture.

[screenshot: netstat-1]

If you want to check all listening UDP and TCP ports then add an extra u to the switches, which includes the UDP sockets as well.

netstat -natlpu

[screenshot: netstat-2]

In this picture you can clearly see the Asterisk and named servers listening on ports 5060 and 53.

So if you want to check whether any daemon or application on your box is running, just issue one of these commands and you will see whether it is listening on a local port or not. This is the easiest way to figure it out.
If you stop, for example, the smtp daemon or the imap daemon, then the port(s) disappear straight away. Pay attention to the local address column too: a service bound to 127.0.0.1 is only reachable from the box itself, while 0.0.0.0 (or :::) means it listens on every interface.

Netstat is available by default in every major Linux distro (newer distros ship ss from iproute2 instead; ss -natlp gives the same information) and in every old and new Windows version.
Under Windows you need far fewer switches:

netstat -an -p tcp

[screenshot: netstat-3]

netstat -an -p udp

[screenshot: netstat-4]

The first command shows all listening, connected and waiting TCP connections.
A large number of connections in wait/close states from the same remote address is a good hint that someone is hammering your box remotely.
I have seen it on an Exchange 2010 server: it had more than 100 wait/close connections against port 110, because someone was trying to break into that server with a brute force attack. The sysadmin hadn't lowered the maximum number of connections per IP; it was left at the default, which is 2000.

#######################################################

The second command shows all listening UDP sockets. If you have a DNS server or an Asterisk SIP server they listen on UDP and you will see those ports open.
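Reading netstat by eye works for one box; for a fleet you want the two checks above in code: which services are exposed on every interface, and which remote address is piling up wait/close connections on a port. The script below is an added example, not code from the original post. Its sample `netstat -natlp` output is constructed for the example (the port numbers and the 78.46.184.202 address mirror the screenshots described above; the remote addresses are documentation ranges).

```python
"""Parse `netstat -natlp` output to list exposed listeners and spot connection floods (added example; not from the original post).

The sample output is constructed for the example; the ports and the
78.46.184.202 address mirror the screenshots described above, the remote
addresses are documentation ranges.
"""
from collections import Counter

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1201/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      998/sshd
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      1340/dovecot
tcp        0      0 78.46.184.202:22        203.0.113.9:51022       ESTABLISHED 2044/sshd
tcp        0      0 78.46.184.202:110       198.51.100.7:40001      TIME_WAIT   -
tcp        0      0 78.46.184.202:110       198.51.100.7:40002      TIME_WAIT   -
tcp        0      0 78.46.184.202:110       198.51.100.7:40003      CLOSE_WAIT  1340/dovecot
tcp        0      0 78.46.184.202:110       198.51.100.7:40004      TIME_WAIT   -
tcp        0      0 78.46.184.202:110       192.0.2.44:33001        ESTABLISHED 1340/dovecot
tcp6       0      0 :::22                   :::*                    LISTEN      998/sshd
"""


def split_endpoint(endpoint):
    """'127.0.0.1:53' -> ('127.0.0.1', 53); ':::22' -> ('::', 22); '0.0.0.0:*' -> ('0.0.0.0', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port != "*" else None)


def parse_netstat(text):
    """Return one dict per tcp/udp line; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, local, foreign = parts[0], parts[3], parts[4]
        state = parts[5] if proto.startswith("tcp") else ""   # udp has no State column
        program = parts[-1]                                   # PID/Program name or "-"
        laddr, lport = split_endpoint(local)
        faddr, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "laddr": laddr, "lport": lport, "faddr": faddr,
                     "fport": fport, "state": state, "program": program})
    return rows


def exposed_listeners(rows):
    """Listeners bound to every interface (0.0.0.0 or ::), i.e. reachable from outside the box."""
    return sorted(
        (r["lport"], r["proto"], r["program"])
        for r in rows
        if r["state"] == "LISTEN" and r["laddr"] in ("0.0.0.0", "::")
    )


def noisy_sources(rows, port, threshold=3):
    """Remote addresses with more than `threshold` non-listening sockets to `port`.

    Many TIME_WAIT/CLOSE_WAIT entries from one address to the POP3 port is the
    pattern the text above describes for a password brute-force attempt.
    """
    counts = Counter(r["faddr"] for r in rows
                     if r["lport"] == port and r["state"] != "LISTEN")
    return {addr: n for addr, n in counts.items() if n > threshold}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("exposed:", exposed_listeners(rows))
    print("noisy on 110:", noisy_sources(rows, 110))
```

On a live box pipe `netstat -natlp` (or `ss -natlp`, whose output differs slightly) into `parse_netstat`; the threshold is deliberately low for the sample and should be tuned to what the service normally sees per client.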

Nmap:

My other favourite tool on Linux and Windows is nmap. It scans local and remote IP addresses or domain names and shows you the open/listening ports. You can also sweep your whole local or remote network to see which IP addresses are in use and which port(s) are listening/open. Nmap is not installed by default on any major Linux distro, so you need to install it.

CentOS/RedHat/Fedora:

yum install nmap

On Debian/Ubuntu:

apt-get install nmap

On Windows:

http://nmap.org/download.html#windows

A few examples of port scans:

nmap localhost

This shows you all the locally listening applications/daemons on your box:

[screenshot: nmap-1]

nmap IP_address or domain name

This command shows all the listening ports on the host that you check (IP or name). Without a port list nmap probes its 1000 most common TCP ports, so a daemon on an unusual port can be missed; netstat on the box itself is the authoritative list.

[screenshot: nmap-2]

Nmap ping scan to discover the hosts that are up on your local network (-sP is the old name of the -sn ping-scan option; newer nmap versions still accept it):

nmap -sP 192.168.0.1-254

[screenshot: nmap-local-scan]

Nmap can scan remote IP addresses as well. Be careful with this: only scan hosts you are authorised to test, for troubleshooting purposes, not for fun!
Port scans are usually logged by firewalls and servers, your source address ends up in those logs, and in many places unauthorised scanning is treated as an attack.

nmap -sP 86.1.80.1-20

[screenshot: nmap-remote-scan]

#######################################################

The next troubleshooting tool is traceroute/tracert:

Linux: traceroute, Windows: tracert.

Let's do a traceroute first on a Linux box:

traceroute -I -n 7layer.org

[screenshot: traceroute-1]

I used a capital I to force traceroute to use ICMP echo for tracing (this needs root) and n to avoid name resolution.
As you can see in the picture, the hops through the routers show the whole route the packets take to reach my server.
The last address is my server's address at Hetzner. This is the best way to figure out, for example, how packets are reaching your server.
If you have multiple paths, like two ISP broadband lines, how else would you know which way the packets are getting to your box?
Also when you are testing firewalls and something is not right, you can check with this whether the packets are taking the expected path.
For example you are connected to a VPN and in the meantime you are testing a firewall, and the remote VPN's default gateway is being used.
So every packet travels via the VPN instead of your local network gateway (if the VPN is configured that way) and you get lost with the firewall troubleshooting.

On Windows you can use this tool as well:

tracert -d 7layer.org

The -d switch is practically compulsory: otherwise every IP address gets resolved to a name and it takes ages to get the results back.
I guess you don't really want to wait, so always use the -d switch.

[screenshot: w-traceroute]

#######################################################

Back to Linux again.

How do you check the running processes on a Linux box?
You have the ps tool, which can list every process on your running system.
So run it and check the output; you will see many processes on the screen.

ps ufxa

This command shows the process names including the path they were started from.
It also shows the user name that runs each process and the process's memory and CPU usage. Look out for processes running as root that have no business doing so, and for names you don't recognise.

[screenshot: ps-process]

For example check the mysql daemon. The third red box shows 2.9, which is the percentage of memory currently used by the mysql daemon.

#######################################################

The next command we will take a closer look at is mtr.
mtr stands for My Traceroute; it is a real-time traceroute application that keeps probing the path and shows loss and latency per hop.
It is usually not installed by default, so install it from the repository.

CentOS/Fedora/RedHat:

yum install mtr

Debian/Ubuntu:

apt-get install mtr

So let's do some mtr tracerouting:

mtr yahoo.com

This traces the whole route to yahoo.com.
As you can see there is some packet loss at core1.hetzner.de, but not much. Loss at an intermediate hop that does not carry on to the hops after it usually just means that router rate-limits its ICMP replies; only loss that persists all the way to the destination points to a real problem.
The rest of the path looks clean, no packet loss whatsoever.

[screenshot: mtr-1]

The next mtr trace is to Google's public DNS server address:

[screenshot: mtr-2]

To be continued…

Dns-Tools

DNS tools for sysadmins. Coming soon: SPAM database check.

– Nmap firewall check

– Nslookup domain check (all records shown)

– Traceroute, tracing the route packets take

– Reverse DNS check

– Ping check

– Whois domain checker

– Password generator

– Send test mail via the 7layer.org mail server

https://www.7layer.org/dnstools/  user: admin password: admin

Scans are logged...

These tools are for checking; please do not abuse them! 🙂

Sendmail server setup

Sendmail mail server setup and configuration step by step.
Let's start and set up our first sendmail server.

First install the packages that we need.

yum install sendmail sendmail-cf

Then edit the sendmail.mc file and make the changes below.

Find the line:

dnl define(`confAUTH_OPTIONS', `A p')dnl

and change it to:

define(`confAUTH_OPTIONS', `A p')dnl

The p flag tells sendmail not to offer mechanisms such as PLAIN and LOGIN unless the session is already encrypted (STARTTLS), so passwords are never accepted in clear over the network.
Then change the lines below. This is needed to get Outlook Express and Mozilla to work with plain text authentication.
Use plain text authentication only on a trusted local network; otherwise require an encrypted connection (STARTTLS/SSL) and keep the p flag, which blocks PLAIN and LOGIN on unencrypted sessions.

From this:

dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

To this:

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

Next step is to change the queue parameters for fine tuning from these:

dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl

To these:

define(`confTO_QUEUEWARN', `4h')dnl
define(`confTO_QUEUERETURN', `5d')dnl
define(`confQUEUE_LA', `12')dnl
define(`confREFUSE_LA', `18')dnl

Next is the maximum number of daemon children:

dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl

To:

define(`confMAX_DAEMON_CHILDREN', `20')dnl

Then the connection rate throttle, the maximum number of new connections accepted per second (it is not a per-IP limit):

dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl

To this:

define(`confCONNECTION_RATE_THROTTLE', `3')dnl

Next is the listening daemon: copy the loopback line and add one with your server's IP address:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=192.168.0.40, Name=MTA')dnl

If you are using a public IP address then put that instead of the private one.
If you want IPv6 support then uncomment this line:

dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl

To this:

DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl

Obviously the Addr part should be filled in properly.

Next find the line:

dnl FEATURE(`relay_based_on_MX')dnl

and change this to:

FEATURE(`relay_based_on_MX')dnl

Be aware of what this does: sendmail will relay mail for any domain whose MX record points at your server. Anyone who can publish an MX record can point it at you and use your box as a relay, so if you only host a known set of domains, list them in /etc/mail/relay-domains instead and leave this feature commented out.

If your server runs on a DSL or cable connection then you need to change the smart host part too:

define(`SMART_HOST', `smtp.ntlworld.com')dnl

Obviously change the smtp.ntlworld.com part to your provider's SMTP relay. Then your server will be able to send mail out through it.
Save the sendmail.mc file, this part is done.

Next edit the access file and insert your server's IP address like this:

Connect:192.168.0.40            RELAY
Connect:192.168.0                   RELAY

Change the addresses to your server's IP address and your local network address.
The second line is needed so that the client computers on your network can relay through the server.
If you are using a public IP address then put that IP instead of the private one, but never put a public network prefix here: RELAY for a range means every host in it can send mail through your server, which turns it into an open relay.
This file lets the sendmail server reject and accept domain(s) and IP addresses.

When this is done you need to build the hashed database from the access file with this command:

makem​ap hash /etc/mail/access.db < /etc/mail/access

Next enter the domain name(s) that you host into the local-host-names file like this:

vi /etc/mail/local-host-names

opensourcetechnology.co.uk
mylovelydomainname.com
mythirddomainname.com

Then save the file and close it.
Create a test user for this email account (with /sbin/nologin as its shell, so the account can receive mail but cannot log in):

useradd -s /sbin/nologin test1

Change the password for the test1 user:

passwd test1

Then edit the aliases file under the /etc directory and put these line into it:

test1:         test1

Save and close it then issue the newaliases command:

newaliases

/etc/aliases: 78 aliases, longest 10 bytes, 781 bytes total

After this you have a test1@opensourcetechnology.co.uk email address.
If you want more addresses for this account just edit the /etc/aliases file and save it.
Then run the newaliases command again so that the new lines from the aliases file are picked up.

We are finished with the sendmail configuration. Let's compile it and restart sendmail (run these in /etc/mail):

make clean
make all
make restart

You can start any service in CentOS Linux with these commands:

service sendmail start

or

/etc/init.d/sendmail start

Make sure the sendmail service is enabled with chkconfig, otherwise it won't start on the next reboot:

chkconfig sendmail on

Be careful with postfix, exim and any other mail servers. Only one mail server can listen on the smtp port 25. So make sure the others are switched off with these commands:

chkconfig postfix off
chkconfig exim off

And check that the smtp port is allowed through the firewall. You can check this with the iptables command:

iptables -L

If it shows "ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp" that is fine.

Last thing to do is change the server name for the appropriate one.
Go to /etc/sysconfig and edit the network file.

vi /etc/sysconfig/network

Change this:

HOSTNAME=localhost.localdomain

To:

HOSTNAME=mail.opensourcetechnology.co.uk

That's it, we are done. After this you should restart the server, otherwise the server name won't change.
Before that save every open file!!!
You can restart the server with this command:

shutdown -r now (-r means restart the box. If you put -h the server won't restart, it will stay halted)

After you have rebooted the server, test sendmail with this command:

telnet localhost 25

###################
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.opensourcetechnology.co.uk ESMTP Sendmail 8.13.8/8.13.8; Sun, 16 Jan 2011 19:14:03 GMT
helo me
250 mail.opensourcetechnology.co.uk Hello localhost.localdomain [127.0.0.1], pleased to meet you
mail from:lszabo@opensourcetechnology.co.uk
250 2.1.0 lszabo@opensourcetechnology.co.uk... Sender ok
rcpt to:test1
250 2.1.5 test1... Recipient ok
data
354 Enter mail, end with "." on a line by itself
subject:test
test
.
250 2.0.0 p0GJE39C006422 Message accepted for delivery
quit
##################

To check the open ports on your box use the nmap command.

nmap localhost
nmap 192.168.0.40
nmap myexternalipaddress

Hints for DSL/Broadband connections:

If your server is behind a firewall don't forget to forward port 25 (smtp) to your box.
On a few DSL lines you might have a problem with the MTU size. If mail gets stuck in the Linux box then change the MTU size to 1420 on your router.
A DSL line is not a real Ethernet network. It is a PPPoE (http://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet) link, so the MTU is smaller than on real Ethernet and that can cause trouble for sendmail.
So if you are having this kind of problem (mail can't get out of the box) try to change it on the router and on the Linux box too.
On the Linux box the MTU is set with an MTU=1420 line in /etc/sysconfig/network-scripts/ifcfg-eth0.

You can download all the configuration files from here:

sendmail.mc

local-host-names

access

Sendmail-Doc

Next blog will be about the Dovecot POP3/IMAP server.

Linux Bonding Interfaces for High availability.

This article is about bonding Ethernet interfaces into one for high availability and a performance improvement on your Linux box.
Bonding is important if you want a highly available server: if one interface goes down you still have the backup interface(s).
The bond can run in several modes: balance-rr (round-robin), active-backup, balance-xor, broadcast, 802.3ad, balance-tlb and balance-alb.

So there are the steps to get it work on RedHat, Fedora and CentOS based systems.

Create the ifcfg-bond0 file at /etc/sysconfig/network-scripts/

touch /etc/sysconfig/network-scripts/ifcfg-bond0

Edit the file and change the IP address to match for your needs.

DEVICE=bond0
IPADDR=192.168.0.100
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
USERCTL=no
BOOTPROTO=none
ONBOOT=yes
BROADCAST=192.168.0.255

Next step is to modify the interface card configuration files.
cat /etc/sysconfig/network-scripts/ifcfg-eth0

eth0 should look like this:

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes

Then change the eth1 as well.
cat /etc/sysconfig/network-scripts/ifcfg-eth1

eth1 should look like this:

DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
USERCTL=no
MASTER=bond0
SLAVE=yes

If you want to bond more devices just create the same kind of ifcfg file for each of them.

After you have set up the interfaces you need to set the kernel module parameters.

Add the following lines to /etc/modprobe.conf (on CentOS 6 and later that file is no longer read; put the same lines into /etc/modprobe.d/bonding.conf instead).

alias bond0 bonding
options bonding mode=balance-alb miimon=100

Next thing is load the kernel module.

modprobe bonding

Then restart the network service.

service network restart

You are set!

To test the bonding devices, list them with this command:

cat /proc/net/bonding/bond0
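Reading that status file by hand is fine once; what you actually want is an alarm when the bond has silently lost its redundancy (one slave dead, or no link monitoring at all). The script below is an added example, not code from the original post. Its sample status text is constructed to look like the kernel's output for the balance-alb/miimon=100 setup above, with eth1 down and three recorded link failures; on a real box feed it the contents of /proc/net/bonding/bond0.

```python
"""Parse /proc/net/bonding/bond0 and check that the bond still has redundancy (added example; not from the original post).

A bond with one dead slave keeps working, which is the point, but it is no
longer highly available: the next failure takes the box off the network.  The
status text below is constructed to look like the kernel's output for the
balance-alb/miimon=100 setup above, with eth1 down.
"""

SAMPLE_STATUS = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: adaptive load balancing
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:55
Slave queue ID: 0

Slave Interface: eth1
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
Permanent HW addr: 00:11:22:33:44:56
Slave queue ID: 0
"""


def parse_bonding(text):
    """Split the status file into a bond-level dict plus one dict per slave under 'slaves'."""
    bond, slaves, current = {}, [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))   # HW addr keeps its colons
        if key == "Slave Interface":
            current = {"name": value}
            slaves.append(current)
        elif current is not None:
            current[key] = value
        else:
            bond[key] = value
    bond["slaves"] = slaves
    return bond


def redundancy_warnings(bond):
    """Return human-readable warnings; an empty list means the bond is fully redundant."""
    warnings = []
    slaves = bond["slaves"]
    up = [s["name"] for s in slaves if s.get("MII Status") == "up"]
    if bond.get("MII Status") != "up":
        warnings.append("bond itself reports MII Status %s" % bond.get("MII Status"))
    if len(slaves) < 2:
        warnings.append("only %d slave configured, no failover possible" % len(slaves))
    for s in slaves:
        if s.get("MII Status") != "up":
            warnings.append("slave %s is down (link failures: %s)"
                            % (s["name"], s.get("Link Failure Count", "?")))
    if len(slaves) >= 2 and len(up) < 2:
        warnings.append("only %d of %d slaves up: a second failure will isolate the host"
                        % (len(up), len(slaves)))
    # miimon=0 (the driver default) means link state is never polled at all.
    if int(bond.get("MII Polling Interval (ms)", "0")) == 0:
        warnings.append("miimon is 0: link failures are not monitored")
    return warnings


if __name__ == "__main__":
    status = parse_bonding(SAMPLE_STATUS)
    print("active slave:", status.get("Currently Active Slave"))
    for warning in redundancy_warnings(status) or ["bond is fully redundant"]:
        print("-", warning)
```

Hook `redundancy_warnings` into whatever monitoring you run (Nagios, a cron job that mails root); the host keeps answering pings with one slave down, so nothing else will tell you that the redundancy is gone.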

You can change the mode in the options line of the modprobe configuration to fit your system; miimon=100 makes the driver check the link state every 100 ms, and without it a dead link is never noticed, so keep it.
Take a look at this link for more reference: http://www.linuxfoundation.org/collaborate/workgroups/networking/bonding and search for the "Bonding Driver Options" part to change the bonding mode.